Periodically clean up direnv permissions

home/features/cli/direnv.nix

@@ -1,4 +1,7 @@
-{ config, ... }: {
+{ config, ... }:
+let statePath = "${config.xdg.dataHome}/direnv/allow";
+in
+{
   programs.direnv.enable = true;
   programs.direnv.nix-direnv.enable = true;
 
@@ -9,7 +12,7 @@
     DIRENV_LOG_FORMAT = "";
   };
 
-  satellite.persistence.at.state.apps.direnv.directories = [
+  # Only save allowed paths for 30d
-    "${config.xdg.dataHome}/direnv/allow"
+  systemd.user.tmpfiles.rules = [ "d ${statePath} - - - 30d" ];
-  ];
+  satellite.persistence.at.state.apps.direnv.directories = [ statePath ];
 }

home/features/neovim/default.nix

@@ -290,6 +290,7 @@ in
     event = "BufReadPost";
 
     opts.enabled = true;
+    # TODO: blacklist harpoon, NeogitStatus
   };
   # }}}
   # {{{ harpoon